WO2023155697A1 - Data processing method and apparatus - Google Patents

Data processing method and apparatus

Info

Publication number
WO2023155697A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
library
target
vulnerability repair
vulnerability
Application number
PCT/CN2023/074419
Other languages
English (en)
Chinese (zh)
Inventor
周昊
刘瑞超
石飞
董侃
Original Assignee
阿里云计算有限公司
阿里巴巴(中国)有限公司
Application filed by 阿里云计算有限公司 and 阿里巴巴(中国)有限公司
Publication of WO2023155697A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F 11/0793 Remedial or corrective actions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F 21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode

Definitions

  • The present invention relates to the field of computer technology, and in particular to a data processing method and device.
  • Linux is one of the most widely used operating systems, and the number of Linux distributions has grown from a handful in the traditional IT security field to dozens or even hundreds. Because of this diversity of distributions, traditional vulnerability repair methods are difficult to apply.
  • In the first memory space, a second memory space is created for the target intrusion and loader, and a second running environment is configured that is isolated from the first running environment of the first program; the second memory space is used only by the target loader and the programs it loads.
  • A vulnerability repair library is loaded in the second memory space and used to repair the vulnerability of the first program.
  • Before the vulnerability repair library is used to repair the vulnerability of the first program, the method further includes:
  • intruding into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library, and establishing a hook relationship between the content at the target location and the vulnerability repair library;
  • using the vulnerability repair library to repair the vulnerability of the content at the target location then includes:
  • when the first program calls the content at the target location, directing execution to the vulnerability repair library according to the hook relationship, so that the vulnerability in the content at the target location is repaired.
  • Before intruding into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library and establishing the hook relationship between the content at the target location and the vulnerability repair library, the method further includes: performing signature verification on the vulnerability repair library using preset public key information.
  • The target intrusion and loader includes an intruder and a loader: the intruder is used to intrude into and hook the first program, and the loader is used to create the second memory space, configure the second operating environment, and load the vulnerability repair library.
  • The vulnerability repair library is fetched from the cloud by the target intrusion and loader.
  • The target device is an Internet of Things device.
  • The first program is a user-mode program.
  • a vulnerability repair library acquisition module, used to load the target intrusion and loader into the first memory space of the first program and to obtain the vulnerability repair library for the first program through the target intrusion and loader;
  • a second operating environment configuration module, used to create a second memory space for the target intrusion and loader in the first memory space and to configure a second operating environment isolated from the first operating environment of the first program, where the second memory space is used only by the target loader and the programs it loads;
  • a vulnerability repair module, used to load the vulnerability repair library in the second memory space based on the second operating environment and to use the vulnerability repair library to repair the vulnerability of the first program.
  • An electronic device includes a processor, a memory, and a computer program stored on the memory and capable of running on the processor; when the computer program is executed by the processor, the above data processing method is realized.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, realizes the data processing method described above.
  • By loading the target intrusion and loader into the first memory space of the first program deployed on the Linux operating system, obtaining the vulnerability repair library for the first program through the target intrusion and loader, creating within the first memory space a second memory space for the target intrusion and loader with a second operating environment isolated from the first operating environment of the first program, and then, based on the second operating environment, loading the vulnerability repair library in the second memory space and using it to repair the vulnerability of the first program, vulnerability repair across Linux distributions is realized: the same repair applies to different Linux distributions and needs to be compiled only once, which avoids compiling a different set of binaries for each distribution and reduces the difficulty of vulnerability fixes.
  • Fig. 1 is a flow chart of the steps of a data processing method provided by an embodiment of the present invention.
  • Fig. 2a is a schematic diagram of the internal operation of a program provided by an embodiment of the present invention.
  • Fig. 2b is a schematic diagram of the internal operation of another program provided by an embodiment of the present invention.
  • Fig. 2c is a schematic diagram of a patch download provided by an embodiment of the present invention.
  • Fig. 2d is a schematic diagram of the internal operation of another program provided by an embodiment of the present invention.
  • Fig. 2e is a schematic diagram of the internal operation of another program provided by an embodiment of the present invention.
  • Fig. 3 is a flow chart of steps of another data processing method provided by an embodiment of the present invention.
  • Fig. 4 is a flow chart of the steps of a data processing example provided by an embodiment of the present invention.
  • Fig. 5 is a structural block diagram of a data processing device provided by an embodiment of the present invention.
  • FIG. 1 shows a flowchart of the steps of a data processing method provided by an embodiment of the present invention.
  • The method can be applied to a target device running a Linux operating system; the target device can be an Internet of Things device.
  • A first program, that is, a host program, can be deployed on the Linux operating system; the first program is the protected program.
  • The first program can be a user application running on the Linux operating system: a command-line tool, a business-level application service, or a program running in a container environment. That is, it is a user-mode program; programs in the Linux operating system are divided into kernel-mode programs and user-mode programs.
  • The kernel-mode program is maintained by the Linux open source team; it provides hardware encapsulation for the lower layers of the computer, a unified system call interface for user-mode programs, and shielding of differences in networking and file systems.
  • User-mode programs are applications built on the Linux kernel and developed by developers, such as browsers, communication software, image processing software, and camera software.
  • Step 101: load the target intrusion and loader into the first memory space of the first program, and obtain a vulnerability repair library for the first program through the target intrusion and loader.
  • The target intrusion and loader (LLIM, Linux Loading and Invasion Machine) can be a binary dynamic loader, that is, a shared library that is loaded by the operating system together with the program, and it can serve two functions:
  • LLIM can act as an ordinary position-independent shared library and be loaded into the program's memory space (the first memory space) by the operating system's loader.
  • LLIM can act as a loader with its own self-contained space (the second memory space) and a thread isolation mechanism, through which other programs such as security service programs and vulnerability repair libraries can be loaded and run as threads inside the process space of the host program (the first program).
  • Inside LLIM, a "thread isolation" mechanism ensures that LLIM itself and the ELF shared libraries it loads are, both in memory and in thread context, completely independent of the host program's execution flow. That is, when executable code runs within the memory range of the LLIM body or of a binary library it loaded, the thread stack, thread-private variables, locks and other resources are independent and self-managed, which ensures that LLIM and every ELF it loads can run in any Linux hosting environment.
  • Through the thread isolation mechanism, a self-contained space (the second memory space) isolated from the host program's thread space can be created.
  • The host program's thread space can jump into executable programs, shared library entry points and code blocks in LLIM's own space through hooks and address jumps, exported function call jumps, dlopen interface jumps, and so on. The self-contained space created by LLIM, unrelated to the Linux environment, can hold thread-context-independent libraries, thread-context-independent code blocks, and new threads created by LLIM.
  • LLIM may include an intruder and a loader: the intruder is used to intrude into and hook the first program, and the loader is used to create the second memory space, configure the second operating environment, and load the vulnerability repair library.
  • The Linux intrusion loader LLIM core hooks the host program through binary intrusion: it intrudes into and hooks (HOOK) any position in the executable code in the ELF memory of a heterogeneous Linux user-mode program, and deploys at the hook point an additional ELF loader isolated from the host program (independent of the host context) for on-demand loading of shared libraries that are isolated from the host program context.
  • The intruder in the Linux intrusion loader LLIM core can use Link map hooks (for Android), Instrument hooks (for GNU Linux), and Inline hooks (instruction-level intrusion for all Linux), and the loader can perform ELF parsing, address redirection, and digital signature verification.
  • The LLIM intrusion and loader is implanted in the Linux operating system to be detected and repaired, so that it is loaded into the first memory space of the first program when the first program starts running and remains resident in the body of the first program. Specifically, before the first program runs, the Linux operating system loads the shared libraries it requires, and LLIM can be loaded into the process space of the first program in the form of a shared library.
  • The vulnerability repair library is obtained by LLIM from the cloud.
  • LLIM can link to the cloud binary vulnerability patch library over the network; once a new patch push is received from the cloud vulnerability repair library, it immediately downloads the repair patch into the local vulnerability repair library.
  • The developer develops a vulnerability repair patch according to the CVE repair suggestion; the publisher then signs the patch and uploads it to the cloud, and a device equipped with the general Linux binary vulnerability repair agent of the present invention downloads and deploys the repair patch.
  • Scanning of the target binary can be completed by a vulnerability scanning agent implanted inside the Linux system.
  • Controlled objects: executable programs and shared libraries.
  • CVE: Common Vulnerabilities and Exposures.
  • The information of the target binary is matched item by item against the vulnerability library, and the mechanism of the vulnerability and repair suggestions can be retrieved from the CVE information.
  • Repair patch developers can then develop repair patches in a targeted manner.
  • The repair logic needs to completely or partially replace the vulnerable executable code, or modify the parameters and return values of the code, such as adding a series of bounds checks.
  • After the vulnerability repair patch is developed, it is built against the specific libc environment supported by LLIM to generate a dynamically linked shared library, and intrusion hook guidance information is added to it, which is used at runtime to direct the intrusive hooking of the first program to be repaired.
  • Step 102: in the first memory space, create a second memory space for the target intrusion and loader, and configure a second running environment that is isolated from the first running environment of the first program; the second memory space is used only by the target loader and the programs it loads.
  • For LLIM, a second memory space for LLIM can be created within the first memory space.
  • The second memory space is used only by LLIM and the programs it loads, that is, it is LLIM's self-contained space.
  • The self-contained space is a namespace created by the LLIM loader within the Linux process to match its own libc library linkage, in which only shared library files from a specific directory are loaded for the application.
  • A second operating environment isolated from the first operating environment of the first program can then be configured, which can include linking shared libraries, initializing the thread context, and starting threads.
  • Initializing the thread context can include initialization of the stack, thread-private variables, devices, and memory management.
  • Step 103: based on the second operating environment, load the vulnerability repair library in the second memory space, and use the vulnerability repair library to repair the vulnerability of the first program.
  • Before the vulnerability repair library is used to repair the vulnerability of the first program, the method may further include intruding into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library, and establishing the hook relationship between the content at the target location and the vulnerability repair library.
  • Using the vulnerability repair library to repair the vulnerability of the content at the target location may then include: when the first program calls the content at the target location, directing execution to the vulnerability repair library according to the hook relationship, so that the vulnerability in the content at the target location is repaired.
  • The intrusion hook guidance information may include the name of the repair target library, the symbol name of the repair target function, the repair target mount address (that is, the content at the target location), and the symbol name and address of the patch function entry.
  • After the vulnerability repair library is downloaded, the binary intrusion hook guidance information in it can be read, the content at the target location in the first program can be intruded into precisely according to that information, and the link between the content at the target location and the vulnerability repair library can be established.
  • The vulnerability repair library can then be loaded, and the intrusion and hooking logic directs execution into the logic of the vulnerability repair library, overriding the original vulnerable business logic of the content at the target location in the first program.
  • After the repair is completed, execution returns to the flow of the host program (that is, the first program).
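The loader-side handling of the intrusion hook guidance information described above can be made concrete. The following Go program is an added example written for this page; it is not code from the patent or from LLIM. It parses a guidance record carrying the five fields the patent names (repair target library name, repair target function symbol, repair target mount address, patch function entry symbol and address), checks that record against the host's link map and against the repair library loaded in the isolated space, and only then records the hook relationship from the mount address to the patch entry. The key=value encoding, the module and symbol names, and every address are constructed for the example; the patent does not specify how the guidance is encoded. The checks exist so that guidance can only redirect the declared function of the declared library to a function that actually lies inside the repair library: a malformed or mis-targeted record is refused instead of hooked.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module is one ELF object as the loader sees it in the process link map (all values constructed).
type Module struct {
	Name               string
	TextStart, TextEnd uint64            // executable mapping, end exclusive
	Symbols            map[string]uint64 // exported function symbol -> absolute address
}

// resolves reports whether sym is exported by m at exactly addr and addr lies inside m's
// executable mapping; the loader refuses to hook anything that fails this test.
func (m Module) resolves(sym string, addr uint64) bool {
	a, ok := m.Symbols[sym]
	return ok && a == addr && a >= m.TextStart && a < m.TextEnd
}

// HookGuidance holds the fields the patent lists for the intrusion hook guidance information.
type HookGuidance struct {
	TargetLib, TargetSym string // repair target library name and function symbol name
	TargetAddr           uint64 // repair target mount address
	PatchSym             string // patch function entry symbol name
	PatchAddr            uint64 // patch function entry address
}

type HookRelation struct{ From, To uint64 } // established hook: calls reaching From go to To

// parseGuidance reads the guidance as key=value lines; this encoding is assumed for the example.
func parseGuidance(text string) (HookGuidance, error) {
	kv := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return HookGuidance{}, fmt.Errorf("malformed guidance line %q", line)
		}
		kv[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	for _, k := range []string{"target_lib", "target_sym", "target_addr", "patch_sym", "patch_addr"} {
		if kv[k] == "" {
			return HookGuidance{}, fmt.Errorf("guidance is missing %s", k)
		}
	}
	targetAddr, err1 := strconv.ParseUint(kv["target_addr"], 0, 64) // base 0 accepts 0x-prefixed hex
	patchAddr, err2 := strconv.ParseUint(kv["patch_addr"], 0, 64)
	if err1 != nil || err2 != nil {
		return HookGuidance{}, fmt.Errorf("bad address in guidance: %v %v", err1, err2)
	}
	return HookGuidance{TargetLib: kv["target_lib"], TargetSym: kv["target_sym"], TargetAddr: targetAddr,
		PatchSym: kv["patch_sym"], PatchAddr: patchAddr}, nil
}

// establishHook checks the guidance against the host's link map and against the repair library in
// the isolated space before recording the hook relationship; any mismatch refuses the hook.
func establishHook(g HookGuidance, host map[string]Module, patch Module) (HookRelation, error) {
	target, loaded := host[g.TargetLib]
	switch {
	case !loaded:
		return HookRelation{}, fmt.Errorf("target library %s is not loaded in the host", g.TargetLib)
	case !target.resolves(g.TargetSym, g.TargetAddr):
		return HookRelation{}, fmt.Errorf("%s!%s does not resolve to executable address %#x", g.TargetLib, g.TargetSym, g.TargetAddr)
	case !patch.resolves(g.PatchSym, g.PatchAddr):
		return HookRelation{}, fmt.Errorf("patch entry %s at %#x is not a function inside %s", g.PatchSym, g.PatchAddr, patch.Name)
	}
	return HookRelation{From: g.TargetAddr, To: g.PatchAddr}, nil
}

// Constructed link-map view of the host process and of the repair library in the isolated space.
var sampleHost = map[string]Module{
	"libhost-parser.so": {Name: "libhost-parser.so", TextStart: 0x7f0000001000, TextEnd: 0x7f0000005000,
		Symbols: map[string]uint64{"parse_header": 0x7f0000001a40, "parse_body": 0x7f0000002200}},
}
var samplePatch = Module{Name: "libfix-parse-header.so", TextStart: 0x7f2000000000, TextEnd: 0x7f2000002000,
	Symbols: map[string]uint64{"fix_parse_header": 0x7f2000000640}}

// sampleGuidance is a constructed guidance record of the kind carried inside the repair library.
const sampleGuidance = `# repair target and patch entry
target_lib=libhost-parser.so
target_sym=parse_header
target_addr=0x7f0000001a40
patch_sym=fix_parse_header
patch_addr=0x7f2000000640
`

func main() {
	g, err := parseGuidance(sampleGuidance)
	fmt.Println(err, g)
	fmt.Println(establishHook(g, sampleHost, samplePatch))
}
```

Requiring the mount address to agree with the symbol the target library itself exports means the guidance cannot name a well-known function while pointing the hook somewhere else; requiring the patch entry to lie inside the repair library's own executable mapping means the redirection can only land in code that passed the signature check.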
  • Before intruding into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library and establishing the hook relationship between the content at the target location and the vulnerability repair library, the method may further include the following.
  • The vulnerability repair library can be digitally signed with the private key of an RSA key pair using a digital signature generation tool, and the signature information is placed in a digital signature section; at runtime the LLIM public key is used for decryption and signature verification, which prevents patch forgery.
  • LLIM can read the content of the digital signature section of the patch library and perform signature verification with its built-in public key; subsequent operations are performed only after the verification passes.
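The signature gate described in the two points above (and again at Step 302 below) can be shown end to end. The following Go program is an added example written for this page; it is not code from the patent or from LLIM. It assumes the repair library is an ELF shared object whose signature lives in a section named `.llim_sig` (an assumed name; the patent only says "digital signature section"), that the signature is RSA PKCS#1 v1.5 over the SHA-256 of the whole file with that section zeroed, and it builds a minimal constructed ELF in memory with Go's `debug/elf` and `crypto/rsa` so that it runs offline. The publisher side signs and embeds; the loader side parses the section table, locates the signature section, and refuses the library when verification fails, which is the check the patent places before any hooking or loading.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

const sigSection = ".llim_sig" // assumed name of the repair library's digital signature section

var publisherKey, _ = rsa.GenerateKey(rand.Reader, 2048) // publisher's key pair; a device embeds only the public half

// buildPatchLibrary assembles a minimal ELF64 shared object (constructed for this example) with a
// .text section holding code and a zero-filled signature section of sigLen bytes.
func buildPatchLibrary(code []byte, sigLen int) []byte {
	shstrtab := []byte("\x00.shstrtab\x00.text\x00" + sigSection + "\x00")
	nameOff := func(n string) uint32 { return uint32(bytes.Index(shstrtab, []byte(n+"\x00"))) }
	shstrOff := uint64(binary.Size(elf.Header64{})) // section bodies follow the 64-byte ELF header
	textOff := shstrOff + uint64(len(shstrtab))
	sigOff := textOff + uint64(len(code))
	hdr := elf.Header64{
		Ident:     [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:      uint16(elf.ET_DYN), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Shoff:     sigOff + uint64(sigLen), Ehsize: uint16(shstrOff), // section header table comes last
		Shentsize: uint16(binary.Size(elf.Section64{})), Shnum: 4, Shstrndx: 1,
	}
	sections := []elf.Section64{
		{}, // mandatory SHT_NULL entry
		{Name: nameOff(".shstrtab"), Type: uint32(elf.SHT_STRTAB), Off: shstrOff, Size: uint64(len(shstrtab)), Addralign: 1},
		{Name: nameOff(".text"), Type: uint32(elf.SHT_PROGBITS), Flags: uint64(elf.SHF_ALLOC | elf.SHF_EXECINSTR), Off: textOff, Size: uint64(len(code)), Addralign: 16},
		{Name: nameOff(sigSection), Type: uint32(elf.SHT_PROGBITS), Off: sigOff, Size: uint64(sigLen), Addralign: 1},
	}
	var buf bytes.Buffer // binary.Write into a bytes.Buffer cannot fail for these fixed-size values
	binary.Write(&buf, binary.LittleEndian, hdr)
	buf.Write(shstrtab)
	buf.Write(code)
	buf.Write(make([]byte, sigLen)) // placeholder, filled in by signPatchLibrary
	binary.Write(&buf, binary.LittleEndian, sections)
	return buf.Bytes()
}

// signedDigest parses the library with debug/elf, finds the signature section and returns the SHA-256
// of the image with that section zeroed plus the section's byte range, so every other byte is covered.
func signedDigest(lib []byte) (digest []byte, start, end int, err error) {
	f, err := elf.NewFile(bytes.NewReader(lib))
	if err != nil {
		return nil, 0, 0, fmt.Errorf("not a parseable ELF: %w", err)
	}
	s := f.Section(sigSection)
	if s == nil || s.Offset+s.Size > uint64(len(lib)) {
		return nil, 0, 0, fmt.Errorf("signature section missing or outside the file")
	}
	start, end = int(s.Offset), int(s.Offset+s.Size)
	msg := append([]byte(nil), lib...)
	copy(msg[start:end], make([]byte, end-start)) // zero the signature bytes before hashing
	d := sha256.Sum256(msg)
	return d[:], start, end, nil
}

// signPatchLibrary is the publisher step: RSA PKCS#1 v1.5 over the digest, written into the reserved section.
func signPatchLibrary(lib []byte, priv *rsa.PrivateKey) ([]byte, error) {
	d, start, end, err := signedDigest(lib)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d)
	if err != nil || len(sig) != end-start {
		return nil, fmt.Errorf("cannot sign: section holds %d bytes, signature %d, err %v", end-start, len(sig), err)
	}
	out := append([]byte(nil), lib...)
	copy(out[start:end], sig)
	return out, nil
}

// verifyPatchLibrary is the loader gate before any hooking or loading: the built-in public key must
// validate the signature, otherwise the library is refused.
func verifyPatchLibrary(lib []byte, pub *rsa.PublicKey) error {
	d, start, end, err := signedDigest(lib)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d, lib[start:end])
}

// demo runs both sides: a genuine library must verify, the same library with one .text byte flipped must not.
func demo() (genuineOK, tamperedRejected bool, err error) {
	code := []byte{0x55, 0x48, 0x89, 0xe5, 0x5d, 0xc3} // constructed stand-in for patch code
	signed, err := signPatchLibrary(buildPatchLibrary(code, publisherKey.Size()), publisherKey)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyPatchLibrary(signed, &publisherKey.PublicKey) == nil
	f, _ := elf.NewFile(bytes.NewReader(signed))
	tampered := append([]byte(nil), signed...)
	tampered[f.Section(".text").Offset] ^= 0xff
	tamperedRejected = verifyPatchLibrary(tampered, &publisherKey.PublicKey) != nil
	return genuineOK, tamperedRejected, nil
}

func main() { fmt.Println(demo()) }
```

Run with `go run`; it prints `true true <nil>`. Hashing the whole image with only the signature bytes zeroed means the section headers and string table are covered too, so a patch whose section table was rewritten to point the loader at different code fails verification just as a modified `.text` does.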
  • The target Linux host program body (that is, the first program) triggers the starting point of the program to run it.
  • The code with vulnerabilities is the content at the target location.
  • Through the Linux intrusion loader LLIM core, the vulnerability repair component is called in an operating environment that has nothing to do with the host context.
  • The vulnerability repair component can repair the vulnerability with the vulnerability repair code in the vulnerability repair library; after the repair is completed, execution can return to the subsequent code of the target Linux host program body.
  • The vulnerability repair patch parser in the vulnerability repair component can parse the patch files in the vulnerability repair library and then guide the intrusion.
  • The binary intruder in the Linux intrusion loader LLIM core can intrude into the vulnerable code in the host program, and the flow is hooked to the vulnerability repair patch deployer in the vulnerability repair component.
  • The vulnerability repair patch deployer is used to guide the flow to the vulnerability repair library, and the binary loader in the Linux intrusion loader LLIM core can load the vulnerability repair library.
  • The vulnerability repair component includes a vulnerability repair patch parser and a patch deployer.
  • The vulnerability repair patch parser is an ELF file interpreter, which can interpret the information of each segment and section according to the ELF file header; after LLIM loads the vulnerability repair patch library, the patch deployer jumps to and guides the logical address of the target to be repaired, so as to realize the jump from the vulnerable program to the patch program.
  • FIG. 3 shows a flowchart of steps of another data processing method provided by an embodiment of the present invention, which may specifically include the following steps:
  • Step 301: load the target intrusion and loader into the first memory space of the first program, and obtain a vulnerability repair library for the first program through the target intrusion and loader.
  • Step 302: perform signature verification on the vulnerability repair library using the preset public key information.
  • Step 303: after the signature verification passes, intrude into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library, and establish a hook relationship between the content at the target location and the vulnerability repair library.
  • The intrusion hook guidance information may include the name of the repair target library, the symbol name of the repair target function, the repair target mount address (that is, the content at the target location), and the symbol name and address of the patch function entry.
  • Step 304: in the first memory space, create a second memory space for the target intrusion and loader, and configure a second running environment that is isolated from the first running environment of the first program; the second memory space is used only by the target loader and the programs it loads.
  • Step 305: based on the second operating environment, load the vulnerability repair library in the second memory space, and when the first program calls the content at the target location, direct execution to the vulnerability repair library according to the hook relationship, so as to repair the vulnerability in the content at the target location.
  • Once the vulnerability repair library is loaded, the intrusion and hooking logic directs execution into the logic of the vulnerability repair library, overriding the original vulnerable business logic of the content at the target location in the first program.
  • Step 306: after the vulnerability repair is completed, return to the execution flow of the first program.
  • The embodiment of the present invention is illustrated below in conjunction with FIG. 4:
  • The vulnerability repair component discovers that a vulnerability repair patch has been deployed, performs digital signature verification on it and, after the verification passes, parses the intrusion guidance information (that is, the intrusion hook guidance information) and then instructs the LLIM intruder to perform an intrusive hook at the repair point (that is, the content at the target location).
  • The LLIM intruder intrudes into and hooks the vulnerable target program (that is, the first program).
  • The vulnerability repair component guides the LLIM loader to load the vulnerability repair patch and to perform thread isolation.
  • When the actual execution of the vulnerable target program reaches the vulnerability exploitation logic, it jumps to the vulnerability repair logic; the vulnerability repair patch executes the repair and returns to the target program after the repair is completed.
  • The hooking technology adopted combines the three schemes of Link map, Instrument, and Inline, which can effectively hook the ELF of any Linux system and can cope with defence mechanisms such as RELRO in Android processes.
  • Vulnerability repair patch development is simple: patches only need to be developed manually according to the CVE vulnerability mechanism and repair suggestions. The compilation environment is unified, so cross-distribution Linux compilation environments (such as the cross-development environments and toolchains of GNU/Linux, Android, and OpenWRT) are not needed.
  • LLIM monitors the patch information online in real time and can perform hot loading based on in-memory ELF modification; the process does not restart and the device does not shut down, which greatly facilitates use on IoT devices.
  • FIG. 5 shows a schematic structural diagram of a data processing device provided by an embodiment of the present invention.
  • The device can be applied to a target device running a Linux operating system on which a first program is deployed, and can specifically include the following modules:
  • a vulnerability repair library acquisition module 501, configured to load the target intrusion and loader into the first memory space of the first program and to obtain the vulnerability repair library for the first program through the target intrusion and loader;
  • a second operating environment configuration module 502, configured to create a second memory space for the target intrusion and loader in the first memory space and to configure a second operating environment isolated from the first operating environment of the first program, where the second memory space is used only by the target loader and the programs it loads;
  • a vulnerability repair module 503, configured to load the vulnerability repair library in the second memory space based on the second operating environment and to use the vulnerability repair library to repair the vulnerability of the first program.
  • A hook relationship establishing module is used to intrude into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library and to establish a hook relationship between the content at the target location and the vulnerability repair library.
  • The vulnerability repair module 503 may include:
  • a hook location repair submodule, used to direct execution to the vulnerability repair library according to the hook relationship when the first program calls the content at the target location, so as to repair the vulnerability in the content at the target location.
  • A return execution module is used to return to the execution flow of the first program after the vulnerability repair is completed.
  • A signature verification module is used to perform signature verification on the vulnerability repair library using the preset public key information and, after the verification passes, to call the hook relationship establishing module.
  • The target intrusion and loader includes an intruder and a loader: the intruder is used to intrude into and hook the first program, and the loader is used to create the second memory space, configure the second operating environment, and load the vulnerability repair library.
  • The vulnerability repair library is obtained from the cloud by the target intrusion and loader.
  • The first program is a user-mode program.
  • An embodiment of the present invention also provides an electronic device, which may include a processor, a memory, and a computer program stored in the memory and capable of running on the processor.
  • An embodiment of the present invention also provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the above data processing method is realized.
  • the description of the apparatus embodiment is relatively brief; for related details, refer to the corresponding part of the description of the method embodiment.
  • embodiments of the present invention may be provided as methods, devices, or computer program products. Accordingly, embodiments of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • Embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and any combination of procedures and/or blocks in the flowchart and/or block diagram, can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor or processor of other programmable data processing terminal equipment to produce a machine, such that the instructions executed by the computer or by the processor of the other programmable data processing terminal equipment produce means for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing terminal to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, and the instruction means implements the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Quality & Reliability (AREA)
  • Stored Programmes (AREA)

Abstract

Embodiments of the present invention relate to a data processing method and apparatus, applied to a target device running a Linux operating system. A first program is deployed in the Linux operating system. The method comprises: loading a target intrusion and loader into a first memory space of the first program and obtaining a vulnerability repair library for the first program by means of the target intrusion and loader; creating, within the first memory space, a second memory space for the target intrusion and loader and configuring a second operating environment isolated from a first operating environment of the first program, the second memory space being used only by the target loader and by a program that the target loader can load; and, on the basis of the second operating environment, loading the vulnerability repair library into the second memory space and performing vulnerability repair on the first program using the vulnerability repair library. The embodiments of the present invention make it possible to perform vulnerability repair on Linux distributions; the present invention is applicable to different Linux distributions, and only a single compilation is required.
PCT/CN2023/074419 2022-02-15 2023-02-03 Data processing method and apparatus WO2023155697A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210138769.4A CN114595461A (zh) 2022-02-15 2022-02-15 A data processing method and apparatus
CN202210138769.4 2022-02-15

Publications (1)

Publication Number Publication Date
WO2023155697A1 true WO2023155697A1 (fr) 2023-08-24

Family

ID=81806704

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/074419 WO2023155697A1 (fr) 2022-02-15 2023-02-03 Data processing method and apparatus

Country Status (2)

Country Link
CN (1) CN114595461A (fr)
WO (1) WO2023155697A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114595461A (zh) * 2022-02-15 2022-06-07 阿里云计算有限公司 A data processing method and apparatus
CN114595462A (zh) * 2022-02-15 2022-06-07 阿里云计算有限公司 A data processing method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200311268A1 (en) * 2019-03-29 2020-10-01 Acronis International Gmbh Methods and systems for performing a dynamic analysis of applications for protecting devices from malwares
US20210026947A1 (en) * 2019-07-22 2021-01-28 Cloud Linux Software Inc. Intrusion detection and prevention for unknown software vulnerabilities using live patching
CN112906008A (zh) * 2018-11-15 2021-06-04 百度在线网络技术(北京)有限公司 Kernel vulnerability repair method, apparatus, server and system
CN114595461A (zh) * 2022-02-15 2022-06-07 阿里云计算有限公司 A data processing method and apparatus
CN114595462A (zh) * 2022-02-15 2022-06-07 阿里云计算有限公司 A data processing method and apparatus

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112906008A (zh) * 2018-11-15 2021-06-04 百度在线网络技术(北京)有限公司 Kernel vulnerability repair method, apparatus, server and system
US20200311268A1 (en) * 2019-03-29 2020-10-01 Acronis International Gmbh Methods and systems for performing a dynamic analysis of applications for protecting devices from malwares
US20210026947A1 (en) * 2019-07-22 2021-01-28 Cloud Linux Software Inc. Intrusion detection and prevention for unknown software vulnerabilities using live patching
CN114595461A (zh) * 2022-02-15 2022-06-07 阿里云计算有限公司 A data processing method and apparatus
CN114595462A (zh) * 2022-02-15 2022-06-07 阿里云计算有限公司 A data processing method and apparatus

Also Published As

Publication number Publication date
CN114595461A (zh) 2022-06-07

Similar Documents

Publication Publication Date Title
WO2023155697A1 (fr) Data processing method and apparatus
Altekar et al. OPUS: Online Patches and Updates for Security.
US9195476B2 (en) System and method for aggressive self-modification in dynamic function call systems
US9805188B2 (en) Control flow integrity system and method
KR100965706B1 (ko) Computer device capable of code rewriting and code rewriting method
US8738589B2 (en) Classloading technique for an application server that provides dependency enforcement
Pfretzschner et al. Identification of dependency-based attacks on node.js
US20170024230A1 (en) Method, apparatus, and computer-readable medium for ofuscating execution of an application on a virtual machine
US20150332043A1 (en) Application analysis system for electronic devices
Dahse et al. Code reuse attacks in php: Automated pop chain generation
WO2006133222A2 (fr) Constraint injection system for protecting software programs against vulnerabilities and attacks
JP2013511077A (ja) System and method for protecting Java bytecode from static and dynamic attacks within a malicious execution environment
EP3583536B1 (fr) Securely defining operating system composition without multiple authoring
WO2023155686A1 (fr) Data processing method and apparatus
Sun et al. Blender: Self-randomizing address space layout for android apps
US20220391541A1 (en) Software provenance validation
Skowyra et al. Systematic analysis of defenses against return-oriented programming
US20110078659A1 (en) Java-Based Application Server that Supports Multiple Component Models
Wan et al. Defending application cache integrity of android runtime
Drake Exploiting memory corruption vulnerabilities in the java runtime
Moriconi et al. Reflections on trusting docker: Invisible malware in continuous integration systems
Zhang et al. Programming smart contract with solidity
Metula Managed code rootkits: hooking into runtime environments
EP4167111B1 (fr) Method and apparatus for preparing unique software
Bishop Improvements of User's Security and Privacy in a Web Browser

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23755700

Country of ref document: EP

Kind code of ref document: A1